[RADIATOR] help with AuthBy LSA failure
Hugh Irvine
hugh at open.com.au
Mon Jul 21 20:08:20 CDT 2008
Hello Jason -
Thanks very much for the additional information.
The first problem with the undefined attributes is a number of HP
vendor-specific RADIUS attributes included in the request:
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
>
Vendor 11 is HP, so you should ask them for their list of vendor-
specific RADIUS attributes and send them to me so I can add them to
the standard Radiator dictionary.
The second problem appears to be with your configuration file and/or
certificates.
> Mon Jul 14 11:18:23 2008: DEBUG: Response type 1
> Prototype mismatch: sub Net::SSLeay::randomize (;$$) vs none at
> (eval 48) line 1.
> Mon Jul 14 11:18:23 2008: ERR: TLS could not load_verify_locations , :
> Mon Jul 14 11:18:23 2008: DEBUG: EAP result: 1, EAP TLS Could not
> initialise context
This usually indicates that Radiator is not able to find the
certificates that you need for EAP.
If you download the Radiator source tarball and unpack it in a
suitable directory, you can use the example configuration file and
the example certificates like this in a terminal window:
cd C:\your\Radiator\distribution
perl radiusd -foreground -log_stdout -trace 4 -config_file goodies/eap_peap.cfg
.....
The example configuration files use the sample certificates located
in the "certificates" directory of the Radiator distribution.
hope that helps
regards
Hugh
On 15 Jul 2008, at 01:22, Jason Mueller wrote:
> Hugh,
>
>> Can you please tell me what access server, what version of
>> Windows, what version of Perl, and what version of OpenSSL you are
>> running?
>
> NAS: HP5406zl running K.13.09; authenticating client on a 24-port
> Ethernet Gig module (J8702A)
> Windows: Win2003 Server SP1
> Perl: 5.8.8 (ActiveState distribution)
> OpenSSL: 0.9.8g (Shining Light binary distribution)
>
> I have commented out "AutoMPPEKeys", as we will only need that for
> our wireless users. Otherwise, there is not much to the config.
>
>
>> If you can send us a trace 5 debug it will help.
>
> A trace with debug level 5 is below:
>
> Mon Jul 14 11:18:14 2008: DEBUG: Finished reading configuration
> file 'C:\Program Files\Radiator\radius.cfg'
> This Radiator license will expire on 2008-08-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Mon Jul 14 11:18:14 2008: DEBUG: Reading dictionary file 'E:/
> Radiator/dictionary'
> Mon Jul 14 11:18:15 2008: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Mon Jul 14 11:18:15 2008: DEBUG: Creating accounting port 0.0.0.0:1813
> Mon Jul 14 11:18:15 2008: NOTICE: Server started: Radiator 4.2 on
> iubiastest (LOCKED)
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: DEBUG: Packet dump:
> *** Received from 129.79.9.37 port 1026 ....
>
> Packet length = 315
> 01 20 01 3b 4e 17 c8 b2 31 43 36 a9 2e 05 67 7a
> 1b a2 9a 64 0c 06 00 00 05 ba 04 06 81 4f 09 25
> 20 0a 6a 63 6d 2d 74 65 73 74 01 0a 6a 61 73 6d
> 75 65 6c 6c 06 06 00 00 00 02 07 06 00 00 00 01
> 05 06 00 00 00 18 3d 06 00 00 00 0f 57 05 41 32
> 34 1e 13 30 30 2d 31 37 2d 61 34 2d 62 62 2d 30
> 37 2d 30 30 1f 13 30 30 2d 31 36 2d 63 62 2d 38
> 61 2d 61 38 2d 37 65 4d 27 43 4f 4e 4e 45 43 54
> 20 45 74 68 65 72 6e 65 74 20 31 30 30 30 4d 62
> 70 73 20 46 75 6c 6c 20 64 75 70 6c 65 78 40 06
> 00 00 00 0d 41 06 00 00 00 06 51 05 31 30 30 4f
> 0f 02 16 00 0d 01 6a 61 73 6d 75 65 6c 6c 50 12
> 41 a3 49 ae d5 bd c6 90 ee 62 19 88 26 38 f1 a7
> 1a 0c 00 00 01 37 09 06 00 00 00 0b 1a 0f 00 00
> 00 0b ff 09 01 1a 00 00 00 0b 28 1a 0f 00 00 00
> 0b ff 09 01 1a 00 00 00 0b 2e 1a 0f 00 00 00 0b
> ff 09 01 1a 00 00 00 0b 3d 1a 0a 00 00 00 0b ff
> 04 01 38 1a 0a 00 00 00 0b ff 04 01 3a 1a 0a 00
> 00 00 0b ff 04 01 40 1a 0a 00 00 00 0b ff 04 01
> 41 1a 0a 00 00 00 0b ff 04 01 51
> Code: Access-Request
> Identifier: 32
> Authentic: N<23><200><178>1C6<169>.<5>gz<27><162><154>d
> Attributes:
> Framed-MTU = 1466
> NAS-IP-Address = 129.79.9.37
> NAS-Identifier = "jcm-test"
> User-Name = "jasmuell"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 24
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "A24"
> Called-Station-Id = "00-17-a4-bb-07-00"
> Calling-Station-Id = "00-16-cb-8a-a8-7e"
> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 100
> EAP-Message = <2><22><0><13><1>jasmuell
> Message-Authenticator =
> A<163>I<174><213><189><198><144><238>b<25><136>&8<241><167>
> MS-RAS-Vendor = 11
>
> Mon Jul 14 11:18:23 2008: DEBUG: Handling request with Handler ''
> Mon Jul 14 11:18:23 2008: DEBUG: Deleting session for jasmuell,
> 129.79.9.37, 24
> Mon Jul 14 11:18:23 2008: DEBUG: Handling with Radius::AuthFILE:
> Mon Jul 14 11:18:23 2008: DEBUG: Handling with EAP: code 2, 22, 13, 1
> Mon Jul 14 11:18:23 2008: DEBUG: Response type 1
> Prototype mismatch: sub Net::SSLeay::randomize (;$$) vs none at
> (eval 48) line 1.
> Mon Jul 14 11:18:23 2008: ERR: TLS could not load_verify_locations , :
> Mon Jul 14 11:18:23 2008: DEBUG: EAP result: 1, EAP TLS Could not
> initialise context
> Mon Jul 14 11:18:23 2008: DEBUG: AuthBy FILE result: REJECT, EAP
> TLS Could not initialise context
> Mon Jul 14 11:18:23 2008: INFO: Access rejected for jasmuell: EAP
> TLS Could not initialise context
> Mon Jul 14 11:18:23 2008: DEBUG: Packet dump:
> *** Sending to 129.79.9.37 port 1026 ....
>
> Packet length = 36
> 03 20 00 24 d9 67 5f a3 a4 0c f9 aa b2 0c 1b 45
> b2 69 ed be 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code: Access-Reject
> Identifier: 32
> Authentic:
> <217>g_<163><164><12><249><170><178><12><27>E<178>i<237><190>
> Attributes:
> Reply-Message = "Request Denied"
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
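
Added example, not part of the original message and not Radiator code: the "Attribute number 255 (vendor 11)" errors in the trace refer to Vendor-Specific attributes (RADIUS type 26) whose vendor sub-type has no dictionary entry. The Python below walks a packet using the RFC 2865 layout and lists the (vendor, sub-type) pairs missing from a dictionary; the packet is constructed, and the function names and the set standing in for the dictionary are assumptions.

```python
import struct
from collections import Counter

VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26

def iter_attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len

def count_vsas(packet):
    """Count (vendor_id, vendor_type) pairs carried in Vendor-Specific attributes."""
    seen = Counter()
    for attr_type, value in iter_attributes(packet):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        sub = value[4:]
        # Sub-attributes repeat the type/length/value layout (RFC 2865 recommended format).
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            seen[(vendor_id, sub[0])] += 1
            sub = sub[sub[1]:]
    return seen

def undefined_vsas(packet, dictionary):
    """Return the (vendor_id, vendor_type) pairs that the dictionary set lacks."""
    return sorted(pair for pair in count_vsas(packet) if pair not in dictionary)

def tlv(attr_type, value):
    """Encode one type/length/value element; length covers the 2-byte header."""
    return bytes([attr_type, len(value) + 2]) + value

def sample_packet():
    """Constructed Access-Request: User-Name, two vendor 11 type 255 VSAs, one MS-RAS-Vendor."""
    hp = tlv(VENDOR_SPECIFIC, struct.pack("!I", 11) + tlv(255, b"\x01\x02\x03"))
    ms = tlv(VENDOR_SPECIFIC, struct.pack("!I", 311) + tlv(9, struct.pack("!I", 11)))
    attrs = tlv(1, b"testuser") + hp + hp + ms
    return struct.pack("!BBH", 1, 32, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(undefined_vsas(sample_packet(), {(311, 9)}))
```
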